FortiAnalyzer not connected-fortinet-FortiOS

Vendor: fortinet

OS: FortiOS

Description:
A Fortinet firewall needs to keep a connection with a FortiAnalyzer, otherwise certain services, such as logging, might be impacted. Indeni will alert if the connection is down.

Remediation Steps:
1. Log in via SSH to the Fortinet firewall and run the FortiOS command “get fortianalyzer-connectivity status” to review the connection status and remote disk usage with the FortiAnalyzer unit.
2. Ensure that the correct log source has been selected in the Log Settings, under GUI Preferences of the Fortinet firewall.
3. Check the routing and test ping connectivity between the Fortinet firewall and the FortiAnalyzer (if ICMP is allowed).
4. Check that TCP port 514 is allowed between the Fortinet firewall and the FortiAnalyzer. For more information check this link: http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-ports-and-protocols-54/FortiAnalyzer.htm#
5. Check that DNS lookup on the Fortinet firewall is operational in case the FortiAnalyzer’s FQDN needs to be resolved. Try to ping the FQDN of the FortiAnalyzer from the firewall.
6. Check that the firmware versions of the firewall and the FortiAnalyzer unit are compatible. Review the firmware release notes for compatibility information.
7. If the problem persists, contact Fortinet Technical Support at https://support.fortinet.com/ for further assistance.

How does this work?
This script logs in to the FortiGate via SSH and retrieves the connectivity status with the FortiAnalyzer by using the FortiOS command “get system fortianalyzer-connectivity status”. This command provides information about the connectivity status and disk usage of the FortiAnalyzer.
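As an added illustration (not the Indeni parser or the FortiOS command itself), the following Python sketches how the collected command output can be turned into the fortios-analyzer-is-connected metric that the rule consumes. The sample output and its key names ("Registration", "Connection", "FortiAnalyzer Host Name") are constructed assumptions about the command's layout, not taken from Fortinet documentation; the point is the fail-safe handling of output that cannot be interpreted.

```python
import re

# Constructed sample outputs, ASSUMED to resemble what
# "get system fortianalyzer-connectivity status" prints; the exact key names
# and values are an assumption, not taken from Fortinet documentation.
SAMPLE_UP = """\
FortiAnalyzer Host Name: faz-lab
Registration: registered
Connection: allow
Disk Usage: 12%
"""
SAMPLE_DOWN = """\
FortiAnalyzer Host Name: faz-lab
Registration: registered
Connection: disconnected
"""

KEY_VALUE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$")


def parse_status(output):
    """Turn 'Key: value' lines into a dict with lowercased keys."""
    fields = {}
    for line in output.splitlines():
        m = KEY_VALUE.match(line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields


def analyzer_is_connected(output):
    """Return the fortios-analyzer-is-connected metric: value 1 when the device
    is registered and the connection is allowed, 0 otherwise, tagged with the
    FortiAnalyzer name. Returns None when the output cannot be understood, so
    an unreadable status is never reported as 'connected'."""
    fields = parse_status(output)
    if "connection" not in fields:
        return None
    name = fields.get("fortianalyzer host name", "unknown")
    up = (fields.get("registration", "").lower() == "registered"
          and fields["connection"].lower() == "allow")
    return {"name": name, "value": 1 if up else 0}


def state_down_alert(metric):
    """Mirror the state-down rule: alert only when the metric value is 0."""
    if metric is None or metric["value"] != 0:
        return None
    return "FortiAnalyzer not connected: %s" % metric["name"]
```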

Why is this important?
This metric is used to identify the connectivity status of the FortiGate device with the FortiAnalyzer. A FortiAnalyzer unit can log all FortiGate activity that is available for logging, including archiving. See the following link for more information: https://docs.fortinet.com/uploaded/files/3421/logging-reporting-54.pdf

Without Indeni how would you find this?
An admin would need to log into the Fortinet firewall and manually check the current connection status. This information can also be provided via SNMP and logging.

fortios-fortianalyzer-connectivity-status

Parser source: https://bitbucket.org/indeni/indeni-knowledge/src/master/parsers/src/fortinet/fortigate/get_system_fortianalyzer_connectivity.ind

FortinetFortiAnalyzerConnection

// Deprecation warning: Scala template-based rules are deprecated. Please use YAML format rules instead.

package com.indeni.server.rules.library.templatebased.fortinet

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.StateDownTemplateRule
/**
  * Template rule that alerts when the fortios-analyzer-is-connected metric
  * reports the connection between a Fortinet firewall and its FortiAnalyzer as down.
  */
case class FortinetFortiAnalyzerConnection() extends StateDownTemplateRule(
  ruleName = "FortinetFortiAnalyzerConnection",
  ruleFriendlyName = "Fortinet Devices: FortiAnalyzer not connected",
  ruleDescription = "A Fortinet firewall needs to keep a connection with a FortiAnalyzer, otherwise certain services, such as logging, might be impacted. Indeni will alert if the connection is down.",
  metricName = "fortios-analyzer-is-connected",
  applicableMetricTag = "name",
  alertItemsHeader = "Affected Connection",
  alertDescription = "The connection between the Fortinet firewall and the FortiAnalyzer is down",
  baseRemediationText =
    """|1. Log in via SSH to the Fortinet firewall and run the FortiOS command “get fortianalyzer-connectivity status” to review the connection status and remote disk usage with the FortiAnalyzer unit.
       |2. Ensure that the correct log source has been selected in the Log Settings, under GUI Preferences of the Fortinet firewall.
       |3. Check the routing and test ping connectivity between the Fortinet firewall and the FortiAnalyzer (if ICMP is allowed).
       |4. Check that TCP port 514 is allowed between the Fortinet firewall and the FortiAnalyzer. For more information check this link: http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-ports-and-protocols-54/FortiAnalyzer.htm#
       |5. Check that DNS lookup on the Fortinet firewall is operational in case the FortiAnalyzer’s FQDN needs to be resolved. Try to ping the FQDN of the FortiAnalyzer from the firewall.
       |6. Check that the firmware versions of the firewall and the FortiAnalyzer unit are compatible. Review the firmware release notes for compatibility information.
       |7. If the problem persists, contact Fortinet Technical Support at https://support.fortinet.com/ for further assistance.""".stripMargin
  )()